Understanding Local Traders Exploit


Learn how the P2P Exchange Local Traders was exploited, resulting in a loss of 379.32 BNB.

TL;DR

On May 23, 2023, the P2P exchange Local Traders was exploited on the BNB chain, resulting in a loss of approximately 379.32 BNB.

Introduction to Local Traders

Local Traders is a platform offering peer-to-peer trading solutions to merchants and other users who want to explore diverse opportunities in cryptocurrencies.

Vulnerability Assessment

The root cause of the vulnerability is a missing permission check in one of the functions of their smart contract: the function that sets the contract owner could be called by any address.

Steps

Step 1:

We attempted to analyse the attack transaction executed by the exploiter.

Step 2:

The function `0xb5863c10` lacked a permission check and could be called by anyone to modify the owner.

```solidity
// Decompiled output: the function is public, has no onlyOwner-style
// check, and writes msg.sender into the owner slots.
function 0xb5863c10(address varg0) public payable { 
    require(4 + (msg.data.length - 4) - 4 >= 32); // calldata length check only
    require(varg0 == varg0);
    stor_0_0_19 = varg0;
    owner_1_0_19 = msg.sender; // any caller becomes owner
    owner_2_0_19 = msg.sender;
    stor_3 = 0x2a1766f5d000;   // token price reset to its initial value
}
```

Step 3:

As seen in this transaction, the exploiter was able to make themselves the contract owner by calling the faulty function above.

Step 4:

In this transaction, it can be seen that the attacker, now the owner, called the `0x925d400c` function to set the token price to 1.

```solidity
// Decompiled output: this function does check the owner, but the owner
// slot it reads (owner_1_0_19) was just overwritten by the attacker.
function 0x925d400c(uint256 varg0) public payable { 
    require(4 + (msg.data.length - 4) - 4 >= 32); // calldata length check only
    0xcac(varg0);                                   // internal helper (decompiler label)
    require(msg.sender == owner_1_0_19, Error('You are not admin'));
    stor_3 = varg0;                                 // token price overwritten (set to 1)
    return varg0;
}
```

Step 5:

With the price set to 1, the exploiter then called the getTokenPrice function of the contract, purchased LCT tokens at that low price, and ultimately sold them for a profit of approximately 379.32 BNB, roughly $119,040.

Step 6:

At the time of this writing, all of the stolen funds are held at this address by the attacker.
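The two decompiled functions above, reproduced as a minimal hypothetical contract next to a hardened version, as an added example that is not Local Traders' source code. The names `init`, `token`, `admin`, `tokenPrice` and the `MIN_PRICE` floor are assumptions; only the initial price constant and the "You are not admin" string come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical contract (not Local Traders' source) reproducing the decompiled
// pattern above: an initialiser anyone can re-call to become admin.
contract VulnerableSale {
    address public token;
    address public admin;
    uint256 public tokenPrice = 0x2a1766f5d000;

    // Bug, as in 0xb5863c10: no caller check and no one-shot guard.
    function init(address token_) external {
        token = token_;
        admin = msg.sender;
    }

    // As in 0x925d400c: the admin check is worthless once init() is hijacked.
    function setTokenPrice(uint256 price) external {
        require(msg.sender == admin, "You are not admin");
        tokenPrice = price;
    }
}

// Hardened form: admin fixed at deployment, one-shot initialiser gated to the
// admin, explicit admin transfer, a price floor, and events for monitoring.
contract HardenedSale {
    uint256 public constant MIN_PRICE = 1e12; // assumed floor, not from the page
    address public token;
    address public admin;
    uint256 public tokenPrice = 0x2a1766f5d000;
    bool private initialised;
    event AdminTransferred(address indexed previous, address indexed current);
    event TokenPriceUpdated(uint256 previous, uint256 current);
    modifier onlyAdmin() { require(msg.sender == admin, "You are not admin"); _; }
    constructor() { admin = msg.sender; }

    function init(address token_) external onlyAdmin {
        require(!initialised, "already initialised");
        initialised = true;
        token = token_;
    }
    function transferAdmin(address next) external onlyAdmin {
        require(next != address(0), "zero admin");
        emit AdminTransferred(admin, next);
        admin = next;
    }
    function setTokenPrice(uint256 price) external onlyAdmin {
        require(price >= MIN_PRICE, "price below floor");
        emit TokenPriceUpdated(tokenPrice, price);
        tokenPrice = price;
    }
}
```

The emitted events give monitoring a cheap signal: an `AdminTransferred` or `TokenPriceUpdated` event from an unexpected sender is exactly the sequence seen in Steps 3 and 4.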

Aftermath

Following the exploit, the team acknowledged the incident and stated that they have been working with their security partners to investigate the breach, assess the extent of the damage, and implement a recovery plan.

They further stated that they are trying to reach out to the hacker for a bug bounty settlement. The address controlled by the attacker has been reported and blacklisted by the majority of the exchanges, making it difficult for the hacker to cash out. The team will buy back the stolen assets in four chunks worth 100 BNB each and is currently working on a recovery model for all of the users affected by this exploit.

Solution

It is critical to understand that no security measure is perfect, but implementing rigorous security standards can greatly reduce the risk of all such attacks on DeFi protocols. These standards can aid in identifying and addressing potential attack vectors before they are exploited by attackers.

Many formal verification tools can also be used to ensure that the smart contract behaves as it is intended to. Independent third-party auditors should conduct regular smart contract audits to identify vulnerabilities and recommend mitigation strategies.

We may not have been able to prevent this hack; however, its impact could have been significantly reduced if the team associated with Local Traders had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference Sources: Beosin, Dedaub
